SR-D52785 · Issue 518408
Cross-site scripting protection added to layout runtime java and whitelist validation available for host/XFHost
Resolved in Pega Version 8.3.2
In order to protect against Cross-site scripting issues, filtering has been added to the RepeatDynamicIndex parameter value in layout runtime java. In addition, a validation for X-Forward-Host value has been added which will be read from a local configuration. This is in the form of a white list regex filter for the host/XFHost header to ensure the URL's actions cannot be redirected.
SR-D52969 · Issue 514702
Column population honors thread count of 1
Resolved in Pega Version 8.3.2
The thread count parameter in the column population activity was not being honored, causing repeated deadlocks when trying to populate columns. Investigation showed that the ExposeCols process did not honor the thread count when it was 1 (the default is 4), and this has been fixed by adding the necessary code so that if the thread count is 1, it will not run in multhreaded mode.
SR-D53838 · Issue 521478
Run Ruleset Cleanup defaults to true
Resolved in Pega Version 8.3.2
After upgrade, the rule categories and rules were not showing correctly in the App view of the Dev Portal. Many warning messages were also logged related to the Decisioning DM Sample application. This was traced to the rules cleanup script not running properly. While there was a workaround of applying the ruleset cleanup scripts manually after removing the queries that reference the pr_engineclasses table, the cleanup will now be set to run by default (run.ruleset.cleanup=true). In addition, the logic to determine which RuleSets to include has been simplified and most of the pr4_rule_vw deletions have been combined.
SR-D54319 · Issue 532526
API added to sync presence with requestor to clear inactive operator sessions
Resolved in Pega Version 8.3.2
An intermittent error message was seen indicating the maximum number of active sessions for the current operator had been reached even though there were not multiple logins and there was no requestor displayed in the requestor management landing page. This was traced to sessions that were not properly closed and cleared, and has been resolved by exposing an API that will sync the presence record with the requestor state so inactive sessions will be cleared.
SR-D54628 · Issue 524567
jFreeChart upgraded
Resolved in Pega Version 8.3.2
Chart generation activities have been updated to use JFreeChart v1.0.19.
SR-D55160 · Issue 520354
Namibia and Botswana added to Currency Symbol values
Resolved in Pega Version 8.3.2
Support has been added for the Namibia (en_NA) and Botswana (en_BW) locales in the default Currency Symbol values.
SR-D55449 · Issue 523501
Cross-site scripting protection added to layout runtime java and whitelist validation available for host/XFHost
Resolved in Pega Version 8.3.2
In order to protect against Cross-site scripting issues, filtering has been added to the RepeatDynamicIndex parameter value in layout runtime java. In addition, a validation for X-Forward-Host value has been added which will be read from a local configuration. This is in the form of a white list regex filter for the host/XFHost header to ensure the URL's actions cannot be redirected.
SR-D55508 · Issue 521859
CSRF and Fingerprint token handling added to custom URL generation
Resolved in Pega Version 8.3.2
An error screen appeared with the message "Server response error, no update data returned" while doing a check out and check in of the offer rule. This was traced to CSRF token validation: in this scenario, a custom URL was being framed and the corresponding request did not have a valid CSRF/ Fingerprint token, which can occur when there are custom AJAX/Non-ajax URLs constructed manually in the non-autogenerated/HTML streams. To address this, handling has been added for CSRF and fingerprint tokens as part of the custom URL generation.
SR-D56063 · Issue 522857
Hazelcast upgraded to resolve node startup issue
Resolved in Pega Version 8.3.2
Post data upgrade, the ADM tier failed to start and the error "java.lang.IllegalStateException: Node failed to start!" appeared. This was traced to a dormant bug in Hazelcast 3.11 that caused starting nodes to fail when the Hazelcast master node was shutting down, which was exposed by recent Pega changes made to enable parallel restarts of nodes in Cloud environments. Hazelcast delivered a fix for the parallel restart problem and the hotfixed jar has been merged into the platform. In addition, previous logic for loading Admin Studio waited 30 seconds before timing out when fetching information for each node. This caused issues with large clusters and Admin Studio not loading. The logic has been updated in the Admin Studio UI to load the page despite delays/issues waiting for nodes to respond to the gathering of cluster data, and the algorithm to detect remote-call timeout has been updated and is applicable to batch operation.
SR-D56409 · Issue 520742
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.3.2
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to the use of URLEncryption: URLEncryption uses a Pega-supplied base64 to encode the cipher text with MIME type encoding by default, which adds newline character after every 72 characters. This is not compatible with site-minder. which has policies to restrict newline characters in the URL. As a result, none of the encrypted requests were being processed. To resolve this, post-processing logic has been added to remove newline characters from encoded text. This change has also been applied top URLObfuscation.